
Self-insured organisations falling behind with HIPAA compliance

Following far behind insurance companies and healthcare providers, only about 40 percent of US self-insured organisations have begun to work toward the security requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA), according to META Group, Inc.

"Many of these companies, particularly those with less than $1 billion in annual revenues, have only recently become aware that the HIPAA requirements apply to them, and less than half of them have begun the first or second phase of compliance efforts, including risk assessment and gap analysis," said Paul Proctor, vice president with Security & Risk Strategies at META Group. "The majority of them will have a very difficult time meeting the April 21st, 2005, deadline for compliance, and we're clearly recognising the trend we identified with the HIPAA Privacy Rule — that most companies will wait until the last minute to address this important issue."

Most self-insured companies are in danger of failing to meet the HIPAA security requirements, and for many the problem is that they think the requirements apply only to insurance companies and healthcare providers. In fact, any organisation that handles any individually identifiable healthcare information for insurance purposes for 50 or more individuals is liable for meeting HIPAA requirements, including the security requirements. There are substantial penalties each time an organisation fails to meet the 18 standards and 36 implementation specifications.

META Group advises organisations that self-insure to consider outsourcing administration of their insurance to move all electronic protected health information out of their organisations. However, organisations need to thoroughly investigate their outsourcer to ensure that it meets the HIPAA Security Rule.

META Group finds that HIPAA compliance continues to be a critical, but underestimated, business imperative. While the IT department often leads the way to security compliance, META Group's analysts and consultants strongly suggest pragmatic, actionable solutions that include advising the entire organisation about the security requirements needed to meet the HIPAA challenge.

"All HIPAA-exposed entities, including insurance companies, providers, and self-insured organisations need to address security concerns as a core competency across the enterprise," said Robert Booz, vice president with Insurance Information Strategies at META Group. "The elements of the final HIPAA security rules include administrative procedures, as well as physical and technical safeguards, so every business within the organisation needs to be involved."

Date: 27th May 2004 • Region: N.America • Type: Article • Topic: ISM



Copyright 2004 Portal Publishing Ltd